#!/bin/bash

# ----------------------------------------------------------------------
# Filename:   coverACL.sh
# Version:    1.0
# Date:       2013/11/29
# Author:     huijing.hei
# Email:      huijing.hei@cs2c.com.cn
# Summary:    03系统安全功能-05ACL-01命令setfacl-05覆盖ACL
# Notes:       ***
# Copyright:    China Standard Software Co., Ltd.
# History：     
#             Version 1.0, 2013/11/29
#             - setfacl, and cover acl
# ----------------------------------------------------------------------
##! @TODO: setfacl2
##! @AUTHOR: huijing.hei
##! @VERSION: 1.0 
##! @OUT: 0 => success; 1 => failure

function DoSetup()
{
    # check user is root
    IsRoot
    EchoResult "check user is root"

    trap DoCleanup INT EXIT

    CmdCheck setfacl getfacl

    TEST_USER1=testu1
    TEST_USER_PASSWORD1=setfacl123
    TEST_USER2=testu2
    TEST_USER_PASSWORD2=setfacl123
    TEST_GROUP=testg1

    TMP_FILE=/tmp/setfacl$$

    # set umask 022
    [ `umask` != "0022" ] && umask 022

    touch ${TMP_FILE}

    # add group
    groupmod ${TEST_GROUP} > /dev/null 2>&1 && groupdel ${TEST_GROUP}
    groupadd ${TEST_GROUP}
    EchoResult "add group"

    # add two users
    AddUserPasswd ${TEST_USER1} ${TEST_USER_PASSWORD1} -g ${TEST_GROUP}
    EchoResult "add user ${TEST_USER1}"
    AddUserPasswd ${TEST_USER2} ${TEST_USER_PASSWORD2} -g ${TEST_GROUP}
    EchoResult "add user ${TEST_USER2}"

    # echo > TMP_FILE
    echo "test" > ${TMP_FILE}

}

##! @TODO: test
##! @AUTHOR: huijing.hei
##! @VERSION: 1.0 
##! @OUT: 0 => success; 1 => failure

function DoTest1()
{

    TEST_USER=$1
    # check nomarl user allowed to write file(root)
    su - ${TEST_USER} -c "echo change > ${TMP_FILE}"

    if [ $? -eq 0 ];then
        echo "${TEST_USER} write ${TMP_FILE} success"
        return 0
    else
        echo "${TEST_USER} write ${TMP_FILE} fail"
        return 1
    fi


}

##! @TODO: check user allowed to write to TMP_FILE
##! @AUTHOR: huijing.hei
##! @VERSION: 1.0 
##! @OUT: 0 => success; 1 => failure
function DoTest2()
{   
    # not allowed to write TMP_FILE
    for i in ${TEST_USER1} ${TEST_USER2}; do
        ! DoTest1 ${i}
        EchoResult "${i} not allowed to write to ${TMP_FILE}"
    done
    
    # setfacl
    setfacl -m u:${TEST_USER1}:rw-,g:${TEST_GROUP}:r ${TMP_FILE}
    EchoResult "setfacl user&group"

    # getfacl
    getfacl -p ${TMP_FILE} | grep -E "user:${TEST_USER1}:rw-|group:${TEST_GROUP}:r--"
    #getfacl ${TMP_FILE}
    EchoResult "getfacl"

    # allowed to write TMP_FILE
    DoTest1 ${TEST_USER1}
    EchoResult "${TEST_USER1} write to ${TMP_FILE}"


    ####################
    # setfacl
    setfacl --set u::rwx,u:${TEST_USER1}:rw-,u:${TEST_USER2}:-wx,g::r,o::-,g:${TEST_GROUP}:rwx ${TMP_FILE}
    EchoResult "setfacl --set"
    # check getfacl
    getfacl -p ${TMP_FILE} | grep -E "user:${TEST_USER1}:rw-|user:${TEST_USER2}:-wx|group::r--|group:${TEST_GROUP}:rwx|other::---"
    EchoResult "getfacl"


    # allowed to write TMP_FILE
    for i in ${TEST_USER1} ${TEST_USER2}; do
        DoTest1 ${i}
        EchoResult "${i} allowed to write to ${TMP_FILE}"
    done


}

##! @TODO: setfacl
##! @AUTHOR: huijing.hei
##! @VERSION: 1.0 
##! @OUT: 0 => success; 1 => failure

function DoCleanup()
{
    for i in ${TEST_USER1} ${TEST_USER2}; do
        id -u ${i} > /dev/null 2>&1 && userdel -r ${i}
        EchoResult "userdel ${i}"
    done
    groupdel ${TEST_GROUP}
    EchoResult "groupdel ${TEST_GROUP}"
    [ -f ${TMP_FILE} ] && rm -f ${TMP_FILE}
}

# include lib files

if [ -z "$SFROOT" ]
then
    echo "SFROOT is null, pls check"
    exit 1
fi

. ${SFROOT}/lib/Echo.sh
. ${SFROOT}/lib/Check.sh
. ${SFROOT}/testcases/Security/lib/UserOps.sh

export LANG=C

DoSetup
DoTest2
EchoResult "testcase: cover acl"
echo ""
